10Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22/03/2025, 06:18
Behavioral task
behavioral1
Sample
fe25de503f5fa57842d11d2180a935855b8f89b23fd6fa95ff10272cee5f305a.exe
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
fe25de503f5fa57842d11d2180a935855b8f89b23fd6fa95ff10272cee5f305a.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral3
Sample
fe282eaa9036b889aafc6db602127b45.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
fe282eaa9036b889aafc6db602127b45.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
fe55574c53882722b864ad5f07d521c0.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
fe55574c53882722b864ad5f07d521c0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
fe8a65a43dcdd12c0341ab7e5cc56c3f.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
fe8a65a43dcdd12c0341ab7e5cc56c3f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
fe99ddfdfc78f8223ddd4511fafbccd50e22d089c428f9c6cea01d89b2142c6c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
feb2c82a6695709d9304734b55a6a350.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
feb2c82a6695709d9304734b55a6a350.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
fef2b831e5d7a921a1fce11bc1827b87250bbca7552946a14444c35dbc4e1591.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
fef2b831e5d7a921a1fce11bc1827b87250bbca7552946a14444c35dbc4e1591.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
ff03c0c01a5acef84aa5acdf32b445cd.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
ff03c0c01a5acef84aa5acdf32b445cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
ff1699c2d9f4f22e51e270417a93a15a.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
ff1699c2d9f4f22e51e270417a93a15a.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral21
Sample
ff573ccb268f734e737c764bc60f0ddd.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
ff573ccb268f734e737c764bc60f0ddd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
ff5eef1816b5037715c6da38464a8a3f.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
ff5eef1816b5037715c6da38464a8a3f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
ff9b69031d761a8641f29c72ab6db843864620d9db1b867995e370840a891cc2.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
ff9b69031d761a8641f29c72ab6db843864620d9db1b867995e370840a891cc2.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
ffc0421deeff7949183a7fbc2e55850b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
ffc0421deeff7949183a7fbc2e55850b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
ffc45f2c5865480a76df2d8f64009673.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
ffc45f2c5865480a76df2d8f64009673.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
fffa7ee6ec076412930605bd55bbc491.exe
Resource
win7-20240903-en
General
-
Target
ff5eef1816b5037715c6da38464a8a3f.exe
-
Size
1.1MB
-
MD5
ff5eef1816b5037715c6da38464a8a3f
-
SHA1
ba123a98299528f73ad8cbfa234d3fd9a78c47f5
-
SHA256
66495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104
-
SHA512
daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c
-
SSDEEP
12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\", \"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\dwmredir\\dwm.exe\", \"C:\\Users\\All Users\\ssh\\unsecapp.exe\", \"C:\\Documents and Settings\\OfficeClickToRun.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe -
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this report the parent is wmiprvse.exe (the WMI provider host) spawning schtasks.exe, which is also consistent with scheduled-task creation being driven through WMI rather than an in-process exploit, so the parent/child pairing is the detection signal here, not evidence that wmiprvse.exe itself was exploited.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4664 1680 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 1680 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4036 1680 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 1680 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4672 1680 schtasks.exe 88 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4688 1680 schtasks.exe 88 -
UAC bypass 3 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 
unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
PowerShell was run to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 6096 powershell.exe 5940 powershell.exe 728 powershell.exe 1036 powershell.exe 3084 powershell.exe 3528 powershell.exe 6128 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts ff5eef1816b5037715c6da38464a8a3f.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation ff5eef1816b5037715c6da38464a8a3f.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control 
Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation unsecapp.exe -
Executes dropped EXE 16 IoCs
pid Process 5792 unsecapp.exe 1452 unsecapp.exe 4116 unsecapp.exe 1284 unsecapp.exe 3076 unsecapp.exe 396 unsecapp.exe 4664 unsecapp.exe 4840 unsecapp.exe 2716 unsecapp.exe 4568 unsecapp.exe 112 unsecapp.exe 1964 unsecapp.exe 2436 unsecapp.exe 2024 unsecapp.exe 4768 unsecapp.exe 5112 unsecapp.exe -
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Documents and Settings\\OfficeClickToRun.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\7-Zip\\Lang\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\enterpriseresourcemanager\\RuntimeBroker.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\clb\\backgroundTaskHost.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\dwmredir\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\dwmredir\\dwm.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\ssh\\unsecapp.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\All Users\\ssh\\unsecapp.exe\"" ff5eef1816b5037715c6da38464a8a3f.exe -
Checks whether UAC is enabled 1 TTPs 34 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ff5eef1816b5037715c6da38464a8a3f.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\System32\clb\eddb19405b7ce1 ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\enterpriseresourcemanager\RCX5BD1.tmp ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\clb\RCX5DD5.tmp ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Windows\System32\dwmredir\dwm.exe ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\dwmredir\dwm.exe ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Windows\System32\dwmredir\6cb0b6c459d5d3 ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Windows\System32\clb\backgroundTaskHost.exe ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\dwmredir\RCX52B5.tmp ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Windows\System32\clb\backgroundTaskHost.exe ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Windows\System32\enterpriseresourcemanager\9e8d7a4ca61bd9 ff5eef1816b5037715c6da38464a8a3f.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\dwm.exe ff5eef1816b5037715c6da38464a8a3f.exe File created C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3 ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Program Files\7-Zip\Lang\RCX59BD.tmp ff5eef1816b5037715c6da38464a8a3f.exe File opened for modification C:\Program Files\7-Zip\Lang\dwm.exe ff5eef1816b5037715c6da38464a8a3f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 17 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings ff5eef1816b5037715c6da38464a8a3f.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings unsecapp.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4664 schtasks.exe 3468 schtasks.exe 4036 schtasks.exe 4576 schtasks.exe 4672 schtasks.exe 4688 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 2220 ff5eef1816b5037715c6da38464a8a3f.exe 728 powershell.exe 728 powershell.exe 3084 powershell.exe 3084 powershell.exe 1036 powershell.exe 1036 powershell.exe 6128 powershell.exe 6128 powershell.exe 5940 powershell.exe 5940 powershell.exe 6096 powershell.exe 6096 powershell.exe 3528 powershell.exe 3528 powershell.exe 3528 powershell.exe 5940 powershell.exe 3084 powershell.exe 728 powershell.exe 1036 powershell.exe 6128 powershell.exe 6096 powershell.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe 5792 unsecapp.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 2220 ff5eef1816b5037715c6da38464a8a3f.exe Token: SeDebugPrivilege 3084 powershell.exe Token: SeDebugPrivilege 728 powershell.exe Token: SeDebugPrivilege 1036 powershell.exe Token: SeDebugPrivilege 6128 powershell.exe Token: SeDebugPrivilege 5940 powershell.exe Token: SeDebugPrivilege 3528 powershell.exe Token: SeDebugPrivilege 6096 powershell.exe Token: SeDebugPrivilege 5792 unsecapp.exe Token: SeDebugPrivilege 1452 unsecapp.exe Token: SeDebugPrivilege 4116 unsecapp.exe Token: SeDebugPrivilege 1284 unsecapp.exe Token: SeDebugPrivilege 3076 unsecapp.exe Token: SeDebugPrivilege 396 unsecapp.exe Token: SeDebugPrivilege 4664 unsecapp.exe Token: SeDebugPrivilege 4840 unsecapp.exe Token: SeDebugPrivilege 2716 unsecapp.exe Token: SeDebugPrivilege 4568 unsecapp.exe Token: SeDebugPrivilege 112 unsecapp.exe Token: SeDebugPrivilege 1964 unsecapp.exe Token: SeDebugPrivilege 2436 unsecapp.exe Token: SeDebugPrivilege 2024 unsecapp.exe Token: SeDebugPrivilege 4768 unsecapp.exe Token: SeDebugPrivilege 5112 unsecapp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 5940 2220 ff5eef1816b5037715c6da38464a8a3f.exe 99 PID 2220 wrote to memory of 5940 2220 ff5eef1816b5037715c6da38464a8a3f.exe 99 PID 2220 wrote to memory of 728 2220 ff5eef1816b5037715c6da38464a8a3f.exe 100 PID 2220 wrote to memory of 728 2220 ff5eef1816b5037715c6da38464a8a3f.exe 100 PID 2220 wrote to memory of 1036 2220 ff5eef1816b5037715c6da38464a8a3f.exe 101 PID 2220 wrote to memory of 1036 2220 ff5eef1816b5037715c6da38464a8a3f.exe 101 PID 2220 wrote to memory of 3084 2220 ff5eef1816b5037715c6da38464a8a3f.exe 102 PID 2220 wrote to memory of 3084 2220 ff5eef1816b5037715c6da38464a8a3f.exe 102 PID 2220 wrote to memory of 3528 2220 ff5eef1816b5037715c6da38464a8a3f.exe 103 PID 2220 wrote to memory of 3528 2220 ff5eef1816b5037715c6da38464a8a3f.exe 103 PID 2220 wrote to memory of 6128 2220 ff5eef1816b5037715c6da38464a8a3f.exe 104 PID 2220 wrote to memory of 6128 2220 ff5eef1816b5037715c6da38464a8a3f.exe 104 PID 2220 wrote to memory of 6096 2220 ff5eef1816b5037715c6da38464a8a3f.exe 105 PID 2220 wrote to memory of 6096 2220 ff5eef1816b5037715c6da38464a8a3f.exe 105 PID 2220 wrote to memory of 1348 2220 ff5eef1816b5037715c6da38464a8a3f.exe 113 PID 2220 wrote to memory of 1348 2220 ff5eef1816b5037715c6da38464a8a3f.exe 113 PID 1348 wrote to memory of 1008 1348 cmd.exe 115 PID 1348 wrote to memory of 1008 1348 cmd.exe 115 PID 1348 wrote to memory of 5792 1348 cmd.exe 117 PID 1348 wrote to memory of 5792 1348 cmd.exe 117 PID 5792 wrote to memory of 4076 5792 unsecapp.exe 119 PID 5792 wrote to memory of 4076 5792 unsecapp.exe 119 PID 5792 wrote to memory of 5756 5792 unsecapp.exe 120 PID 5792 wrote to memory of 5756 5792 unsecapp.exe 120 PID 4076 wrote to memory of 1452 4076 WScript.exe 122 PID 4076 wrote to memory of 1452 4076 WScript.exe 122 PID 1452 wrote to memory of 3468 1452 unsecapp.exe 123 PID 1452 wrote to memory of 3468 1452 unsecapp.exe 123 PID 1452 wrote to memory of 2428 1452 unsecapp.exe 124 PID 1452 
wrote to memory of 2428 1452 unsecapp.exe 124 PID 3468 wrote to memory of 4116 3468 WScript.exe 126 PID 3468 wrote to memory of 4116 3468 WScript.exe 126 PID 4116 wrote to memory of 2112 4116 unsecapp.exe 128 PID 4116 wrote to memory of 2112 4116 unsecapp.exe 128 PID 4116 wrote to memory of 4936 4116 unsecapp.exe 129 PID 4116 wrote to memory of 4936 4116 unsecapp.exe 129 PID 2112 wrote to memory of 1284 2112 WScript.exe 137 PID 2112 wrote to memory of 1284 2112 WScript.exe 137 PID 1284 wrote to memory of 4448 1284 unsecapp.exe 138 PID 1284 wrote to memory of 4448 1284 unsecapp.exe 138 PID 1284 wrote to memory of 3652 1284 unsecapp.exe 139 PID 1284 wrote to memory of 3652 1284 unsecapp.exe 139 PID 4448 wrote to memory of 3076 4448 WScript.exe 140 PID 4448 wrote to memory of 3076 4448 WScript.exe 140 PID 3076 wrote to memory of 3684 3076 unsecapp.exe 141 PID 3076 wrote to memory of 3684 3076 unsecapp.exe 141 PID 3076 wrote to memory of 5716 3076 unsecapp.exe 142 PID 3076 wrote to memory of 5716 3076 unsecapp.exe 142 PID 3684 wrote to memory of 396 3684 WScript.exe 143 PID 3684 wrote to memory of 396 3684 WScript.exe 143 PID 396 wrote to memory of 5536 396 unsecapp.exe 144 PID 396 wrote to memory of 5536 396 unsecapp.exe 144 PID 396 wrote to memory of 4192 396 unsecapp.exe 145 PID 396 wrote to memory of 4192 396 unsecapp.exe 145 PID 5536 wrote to memory of 4664 5536 WScript.exe 146 PID 5536 wrote to memory of 4664 5536 WScript.exe 146 PID 4664 wrote to memory of 4076 4664 unsecapp.exe 147 PID 4664 wrote to memory of 4076 4664 unsecapp.exe 147 PID 4664 wrote to memory of 1064 4664 unsecapp.exe 148 PID 4664 wrote to memory of 1064 4664 unsecapp.exe 148 PID 4076 wrote to memory of 4840 4076 WScript.exe 150 PID 4076 wrote to memory of 4840 4076 WScript.exe 150 PID 4840 wrote to memory of 4120 4840 unsecapp.exe 151 PID 4840 wrote to memory of 4120 4840 unsecapp.exe 151 -
System policy modification 1 TTPs 51 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ff5eef1816b5037715c6da38464a8a3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" unsecapp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" unsecapp.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe"C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ff5eef1816b5037715c6da38464a8a3f.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dwmredir\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\unsecapp.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\OfficeClickToRun.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\clb\backgroundTaskHost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Uc8ws4IVzw.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1008
-
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5792 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca79cd5-c86d-4239-a167-ce5d43c86842.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1452 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\397b9676-34f6-4710-b3e6-8aa3742c11c5.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4116 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\765d682c-f09e-44ad-9e6d-2607764bf11a.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8064504-1ef5-437a-a621-985081a5368b.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3076 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59256ace-87a9-4c8c-aec6-52995fc46301.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:396 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2617ac0f-4891-4a53-a8ec-3d367fb10bf2.vbs"14⤵
- Suspicious use of WriteProcessMemory
PID:5536 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4664 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6f4427b-69dc-425c-a4d2-e7e1d2b83a2a.vbs"16⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4840 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51e5228e-f6a2-4718-a8bb-e9b6384ccb19.vbs"18⤵PID:4120
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2716 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d137b0d4-a7f5-4aa1-b56a-37dc83a284fd.vbs"20⤵PID:2576
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4568 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5940e895-e874-4a23-9d5b-8e07697ea3cb.vbs"22⤵PID:864
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:112 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2ea51be-f0d2-47d2-b753-8e93cff9c522.vbs"24⤵PID:6092
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"25⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1964 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\614e0ae2-adc0-442a-8d4b-f30195023730.vbs"26⤵PID:528
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"27⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2436 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\696fb501-1694-4bbf-a0d0-fa4969f9ccd5.vbs"28⤵PID:2184
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"29⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2024 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edc114b7-f727-4140-baf7-2daf01b654e1.vbs"30⤵PID:3052
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"31⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4768 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d454f304-4d8f-4429-8085-ed10b9250fab.vbs"32⤵PID:4632
-
C:\Users\All Users\ssh\unsecapp.exe"C:\Users\All Users\ssh\unsecapp.exe"33⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5112 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a46329a-401e-4fe9-a4a4-818017b7682e.vbs"34⤵PID:5208
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2dcbfd-bc4a-4aee-9fd6-ac4dd1aed1d2.vbs"34⤵PID:5680
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63bbdc2f-e1b6-4466-8ee9-f26d97a45c94.vbs"32⤵PID:4956
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a0da81-0e26-47b1-996a-e4a3f3f3e092.vbs"30⤵PID:2064
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\541abfff-2d42-455c-b168-f4a773b90a42.vbs"28⤵PID:1540
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8f60f8-bb11-44a4-9f5c-7e30b30d82aa.vbs"26⤵PID:4104
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72cb3dcb-888b-4e3f-ab09-f97efbef015f.vbs"24⤵PID:4452
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\758123bd-3852-4f4a-abf0-06cd4e85da09.vbs"22⤵PID:4156
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7f0804-7d5e-4e1f-8a07-cf9fb3d49a32.vbs"20⤵PID:5088
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\225f6c14-299f-405e-9349-3c244a6ebaed.vbs"18⤵PID:8
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\185c1a5f-ee23-4ed2-a2e4-c71e8df40275.vbs"16⤵PID:1064
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c59d457-4a64-4fc6-a7fb-fb34c2f2c61d.vbs"14⤵PID:4192
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b155350-63fa-44c9-a2b6-4249c58d6d76.vbs"12⤵PID:5716
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd1c9ce4-8dec-4246-bfc6-bffbf3824793.vbs"10⤵PID:3652
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72a6e0c1-76ff-4d42-bed0-4e3dc5c79f0f.vbs"8⤵PID:4936
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92e102a4-cf6e-4f3d-81aa-7bc6fef18627.vbs"6⤵PID:2428
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8ae3744-210e-41b8-998a-e1336f5e5306.vbs"4⤵PID:5756
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\dwmredir\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\ssh\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Documents and Settings\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\enterpriseresourcemanager\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\clb\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Replay Monitor
Downloads
-
Filesize
1.1MB
MD5b0ecc167930705bfa9b3ce32ac4a7f67
SHA12efb60c1b290c833b5c932b7ef318efbfb6a9483
SHA256be9352f21b64df995d829fb01f1dda448dce93141a5afd24bce9e127aa8be654
SHA512b892d95dcabfcb6453b7ffac8685d73e77ad9ad8c0824216615b0aec2b71dd845eb95f437f43149872a53cd7bd5c950ed77133c0d6675240eca8a49a0b2a1f45
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
944B
MD55c56bc9516ee1aeea75a81d98481ee92
SHA11713f6c42d50fb29d62fc9af9732ddba5ec1d264
SHA2564289eb4ee8622c15b6257056e3db539193204c38f5508c2e1e776676177fea5f
SHA512be6af08ee11cd4d95aeb0badc2464207232c9de40b18b077e5b4070b245b494147667e9245ca49e9d51b527d5cb7d550eb7bf1ec20cc679fa9ad95ab9e31da31
-
Filesize
944B
MD5acd80d6d7114a61d8c01c77f78c805fb
SHA1f0b79e5fd09ae019fe95d994a5b32a6a6922172d
SHA2562d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818
SHA5121cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266
-
Filesize
944B
MD5dc1d0291bbd8e80c9703fb1f4b4d14dc
SHA1084009b8f1e67e03c9b7333293fbc00d3617948e
SHA2564a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a
SHA51275672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311
-
Filesize
944B
MD5ada23d35e4a3f1bc35ac8d393cd02675
SHA188dd6ddecec82aeafba2b6368078c7c70b88fcac
SHA25698d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72
SHA5120acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6
-
Filesize
710B
MD5e345d1587bee18316db0af7fc8a25b59
SHA13a8b0e014e17eb2e838e278a95ee9f4c8f4ce6d9
SHA2563fee873bec454c9eef774a5d2416bcd5ed4503e785527bf07843facae7229a23
SHA51269aae57260fa82880ba953a1e4dc4a031fbb021a31c14458ac112b517578d3902a03867599f41d4e56e71c7b31894006aaf351ec19835923c6f24dd35ad41bad
-
Filesize
711B
MD55bd3386549f7585b95730bc4267d2af0
SHA1b1610cedf916f873a87e3ea92257c91a9c01c080
SHA256bbf05ec5ca81de5b4650c75c43bda1fb6a21ba3417f1f8588358ce82127114f9
SHA512c47630700dd7d05aaa229d1f0b9b0f12235ab5f033f16b7779aea3556a91fd4a9e01d911e24ee859640bd6e22b90f7cd9496a53cc372ad3a7f9be36623dfaa7e
-
Filesize
711B
MD5d149631831711985b99a5d451ac388f1
SHA1fcfe6b47df9b22fb094811ec5af407f14c7df15e
SHA256e6652247b0ed14485ba703ed96bf750525f7dd2fa3a4511bb8f7da8d8d409288
SHA512dd6d82ef580a5045f8c3b1a9a400388a01baf85e8ea2b24c6f1d3dc99966f2f93741db135552cde89f7d3d091da0f7737b88283852403caf812ed2e9c9de5cb1
-
Filesize
711B
MD5af4982e8e4fdce4419afd14723c8d861
SHA1abc0f9e37ddff21dbbe9079f57757be6c20dce50
SHA256722225140c66b82641e89478823246613844a8c29e3b37d347e12a45cc70d757
SHA5126ab9c270bad2b6e31e7d6c2c62b036a5f54aaede816b2a7c45d7ab4c0568515400a9fe597e42daca26806650f9ac3929ef7fc1eeb37a79f813880b2f2813e1b2
-
Filesize
711B
MD5a005d9fcb884243a9d6ab143a0e5367d
SHA1da9055ec4cd0dd9e70c66abed5f821195e24ddf5
SHA2568ace5343d2fb9548a7306ed4a5c820fe1cca47b386faefec8b4e9decc6fb5419
SHA512cd273d628623f44ae238702647af0e09614a608f565d4b54adb37bad87af844c2de7719e01a4b47125a7a180cf82029c7f475a78860bb8b78d699ab2d2f30356
-
Filesize
711B
MD5ca9a690a75d9c090c0e7ff377061204b
SHA1a36f456110458fce2d63fc9db49cf898c379857b
SHA2563fcae95e2cbf023f20101330614d4b8087345ed187175083e6b1607079319b6b
SHA512e09c7943bcfaa9693c32bc335087998c1f69da78814a3c94df1aa635268fa2a1ced995a1fcd9c76ae05ea09b0f7a89ae16f87b0ed3021df32e4fe797537c3d75
-
Filesize
711B
MD58f36f0ac07167ca3c6b7f2bd94214c43
SHA1c013611df1ea679dcffbad7b72578c95440d63a3
SHA25603ff9b21a06c472975a12518f63b2f0236c2ecd231c5457e026b844a3efb827d
SHA512ea8a1732217097ba4b80c3a037a244fd52f922917ada28bdbb28c8e5987f0120994f11f637c7adb2b831a0c2a63a6b0ecf3f51e0281fd358f1f170704bff5726
-
Filesize
711B
MD50ebd457409baf89bffc0e7139a00ad0d
SHA1c9813fa46b47419a1ce48cfeb453fbc016c56ee6
SHA25639a109c002e309a501d239d6257e09a87ab48d48244b6458fa74cd0d2f79817c
SHA512d554a440ca3acc69c21b78ac250636aef8b99f6d491237e088daca5e4a36ebe58f75afd26946dfa747ab1158807f8d4becb39e45c82747264428a880940ed7c7
-
Filesize
199B
MD56f8fc4a9e22bd9a8fd8a58fb565f5b16
SHA1c9a01447e4a46d4b8984f9c4ec4d1cd15bfdbcf5
SHA256d72691643c13562a8e1234d735cb2d2d0d8087b096fb5cce9704a81cf96f1de0
SHA512c2b3ac42fe639cce7938b3f3b82e9794b127e9b408e3b398404af1f360c9fda8ca0f5bb976060d6ee35ad8e74d1524400c5de3e99682ee4774b17fde608645ea
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
711B
MD594a2c023bb19c7f93bca8557f050256b
SHA14c584a7441068605c38477fec6176d4b9b6a579c
SHA25609d22b4f4242228d90832af04b6f444a78e187772547aab27b3cf8b24b25817d
SHA5125536e927c5ca7ecf0e5cb765a4be74c6f617324bcaf289ea2a2b7a37550938d81fb9a59ec8083f752851d4ee414c4567688c4a3ae2b84348667c85b390b739d8
-
Filesize
711B
MD5938200b61cde9edc52ecd30a1189002a
SHA104fb92161e8583fa578b2ad4b6f945d4eb8acff7
SHA256bc5067bb0781bde0df555d6fb13d0d0874012d2720508bac10710bc21b52bb1c
SHA512e037ad1746f0d6946b258cd8c866b4a0e3bb2a0feb84dd38a5cbb688d59d976d587539190a6d2f156a15a07134f201815bd3a73997bf3218c85a1c744618a7a1
-
Filesize
710B
MD5e7432c581fdb11ee2657d469991a1481
SHA1b742a372076ea78dc28ad89185bd4014e6c45a68
SHA25627722dd2dc853c9f15b96735c50ddb28d73291da186532a550ef3c58d9bb65ab
SHA512c288a9394530e73d4533cefdd921e34fbe8f08871b3e4f5218e4b82ca849d7b1839f0e4164388523ebc1090248cf7e179dc84ad306fb257a8805deef4029b60a
-
Filesize
711B
MD545033ca2e5d2ce25c9779b7e6394085c
SHA19569535651ee74ee581c81ac98cda5d37fdf4b8b
SHA2560cea7eecce4b0d2283e9b2f4dc4bec967bf2fb316d069fcf955bb85b365081ed
SHA512a6e4b4eefeadd276d7417071135e57573513d07ec4bb0a68bc773c725c6b8aea389ca0d61b394c5d15bc159ee59ac76a6c02d1b3d67a74cf88bbf7e0c32d8d84
-
Filesize
487B
MD5664f26b46ad547e1a119bd9b851170a5
SHA1b0e267a94ffbd477fd7aa4c8087a2ad5f1c30361
SHA2564f7c2c037d3bb4fa218c373977be3a785468dde7d5c2d53b788f3fe5fc8f9ab3
SHA512935786fe92b3c847b0735cc0f2e86d2e5c3392a349823d28551c4ffc7998b617e5f22945694f16feef99cf7107953335d5263a218184e9ff005df06fb1a4374a
-
Filesize
711B
MD5b73570638e2c8147ce1a7d617492cb1a
SHA123ace6bf1406ba54b3e6fe5e5ad6d642cf0b8892
SHA256772fcfcda8d65d3fb2907dcf098937a48b63d5e9cda9559535ddd255c24c687a
SHA512b1b0bbaa202d813cd5a544ca57c6b40ad3ff2cbd35ca9e771397c628cb5b3e2096958a6670c50162f6f488182368f12370b7d25b074100a89ffbad9c94c42de1
-
Filesize
711B
MD5289b8778613e1519b43668e8dfb57d43
SHA1990d79d00791c0a1cf251707560ea1befb8c22b7
SHA2565be1bde1404ef72ebb41a149a65ad1c743fe5a7236852b8c2e40b81b32b0c641
SHA512468115cc51b8206c99aa0c1ed397c2c55fff2f67833fb9fd2ce62a5a594fe9d25d04d0419a0f5bd33c716f1287f2f82b732d690bf0700d9e7a5c60cc45995d63
-
Filesize
1.1MB
MD5f2df4754fe7548bb87c1b6a011922c71
SHA1abf203c368413b7029a4b762de65838008d0666d
SHA2563b2b784580c719e432fe5a69a3f43696538665eba0288a5c15580d7132e5af5e
SHA51277f96abf467a548e6cab9828f253d2cf1853baf47d8a9ce2609f3ca6757f4f165fda76c5cc2e409194549e8f3737603b637b87a54f5189a020853cd893a70d20
-
Filesize
1.1MB
MD5ff5eef1816b5037715c6da38464a8a3f
SHA1ba123a98299528f73ad8cbfa234d3fd9a78c47f5
SHA25666495902f22ee35be8d28b76ed4bee1a60e9b39bbddba2118e8dcac14ed24104
SHA512daa099d8a747e563a7371500abba63f9c1746eb6916d233949b20e99ab11408caac85e49638e3f5d14757180c53477ec1d9bf99f99d99636c17aa819d62d802c
